In today's digital age, systems and computing applications are increasingly geared to solutions enabling convenient and remote access to sensitive information and performance of sensitive transactions. A key technical challenge for many such systems and applications is the ability to verify the identity or authenticity of the user provided with the remote capabilities. Capabilities for more reliably verifying a user's identity are increasingly becoming critical features of most digital platforms, enterprise networks, cloud services, websites, apps, etc., and even end-user devices, such as smartphones, that may themselves contain sensitive information.
The most common form of authentication today is the requirement for a username and/or password. Some systems also include supplementary or alternative techniques, such as a requirement to answer security questions, to supply additional credentials such as a certificate or token, or to supply a one-time code, for example one received by the user in an out-of-band message, such as via text or e-mail, or one generated based on a secret key. Other additional or alternative techniques may include a requirement for biometric information, such as a fingerprint, facial recognition, etc.
These techniques, however, are vulnerable and may overburden the end user. For example, passwords, shared secrets, and some biometric information are vulnerable to replication or fraudulent discovery, such as may be learned through data theft, social engineering, eavesdropping, or other criminal acts. Thus, these techniques alone may not be satisfactory.
Traditional supplementary techniques are also known to create friction for valid users by making the authentication process slower and more cumbersome to complete, often requiring additional user-involved steps as part of the authentication process. Typical authentication processes also do not discriminate between certain user actions for which additional authentication steps may be beneficial considering the risk or frequency involved. Thus, it is desired to provide improved authentication processes to increase confidence in verifying a user's identity based on information not easily discoverable or replicated, while not overburdening the user with additional user-involved authentication steps.